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Abstract 

We characterize the complete set of protocols that may be used to securely encrypt n 
quantum bits using secret and random classical bits. In addition to the application of such 
quantum encryption protocols to quantum data security, our framework allows for generaliza- 
tions of many classical cryptographic protocols to quantum data. We show that the encrypted 
state gives no information without the secret classical data, and that 2n random classical bits 
are the minimum necessary for informationally secure quantum encryption. Moreover, the 
quantum operations are shown to have a surprising structure in a canonical inner product 
space. This quantum encryption protocol is a generalization of the classical one time pad 
concept. A connection is made between quantum encryption and quantum teleportation|l[, 
and this allows for a new proof of optimality of teleportation. 

1 Introduction 

We consider informationally secure encryption protocols, where any potential eavesdropper, Eve, 
will have no information about the original quantum state, even if she manages to steal or intercept 
the entire encrypted quantum data. This scenario is very different from the well-known scheme 
of quantum cryptography, which in the usual sense^, |j is really a secure expansion of an existing 
classical key, using a quantum channel and a pre-selected set of quantum states. The resulting 
secure bits might then be used for an encryption algorithm on classical data. But suppose one is 
concerned with securing quantum data, as is the case considered in this paper. Extending ideas 
from QKD (such as testing bits in conjugate bases), one might show that given the test is passed, 
the quantum bits are also secure. However, this case is ill-suited to data security as opposed to 
communication security. For the tasks targeted in the paper, we need a method to make sure that 
even if the eavesdropper takes the quantum data, she will still learn nothing about the quantum 
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information. In this case, the eavesdropper may not care about passing any tests, and may remove 
the qubits and replace them with junk. 

We provide a simple method to get informationally secure encryption of any quantum state 
using a classical secret key. This could have several interesting applications. For example, if we 
imagine a scenario where good quantum memories are expensive, one might rent quantum storage. 
Security in such a public-storage model would be a high priority. We assume the user cannot store 
quantum data herself, but can store classical data. Methods of using trusted centers for quantum 
cryptography have been developed §. Our method would allow a user to encrypt her quantum 
data using a classical key and allow a potentially malicious center to store the data, and yet she 
would know that the center could learn nothing about her stored quantum data. Additionally, 
the untrusted center could act as a quantum communication provider. Several other applications 
which involve adaptations of classical cryptographic protocols, such as quantum secret sharing 
using classical key, are outlined later in the paper. 

2 Classical Informationally Secure Encryption 

If M is the random variable for the message, and C is the random variable for the ciphertext (i.e., 
output of the encryption process), then Shannon defined informationally secure cryptography in 
the following wayQ: 

I(M; C) = H (C) - H (C\M) = . (1) 

The above relationship implies p{c\m) = p(c), i.e., that the ciphertext, c, is independent of the 
message, m. Since one must be able to recover the message from the ciphertext given the key, 
one must also satisfy I(M;C\K) = H(M). Hence, the secrecy condition combined with the 
recoverability condition imply that H{K) > H(M) and H(C) > H(M) for informationally secure 
cryptography. 

An example of informationally secure cryptography is the one time pad||. The message m is 
compressed to it's entropy, and then a full-entropy random string of length H{M) is chosen and 
called k. Then, the ciphertext is c = m © k. Given c, one knows nothing of m, but given c and 
k, one has m exactly. 

This same one time pad approach may be applied in the quantum case. 

3 Encryption of Quantum Data 

Alice has a quantum state that she intends either to send to Bob, or to store in a quantum memory 
for later use. Eve may intercept the state during transmission or may access the quantum memory. 
Alice wants to make sure that even i/Eve receives the entire state, she learns nothing. Toward 
this end, any encryption algorithm must be a unitary operation, or more specifically a set of 
unitary operations which may be chosen with some distribution. It must be unitary because one 
must be able to undo the encryption, and any quantum operation that is reversible is unitary @. 
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The most general scheme is to have a set of M operations, {Uk}, k = 1, . . . , M, where each 
element Uk is a 2 n x 2™ unitary matrix. This set of unitary operations is assumed to be known to 
all, but the classical key, k, which specifies the U/~ that is applied to the n-bit quantum state, is 
secret. The key is chosen with some probability pk and the input quantum state is encrypted by 
applying the corresponding unitary operation Uk- In the decryption stage, U\ is applied to the 
quantum state to retrieve the original state. 

The input state, p, is called the message state, and the output state, p c , is called the cipher- 
state. The protocol is secure if for every input state, p, the output state, p c , is the totally mixed 
state: 

Pc = J2p(k)UkpUl = -I . (2) 
k A 

The reason that p c must be the totally mixed state is two fold. First, for security all inputs must 
be mapped to the same output density matrix (because p c must be independent of the input). 
Second, the output must be the totally mixed state because the totally mixed state is clearly 
mapped to itself by all encryption sets. 

To see that this is secure, we note that Eve could prepare an n-bit totally mixed state on her 
own. Since two processes that output the same density matrices are indistinguishable ||, anything 
that can be learned from p c can also be learned from the totally mixed state. 

The design criterion is to find such a distribution of unitary operations {pk, Uk} that will map 
all inputs to the totally mixed state. A construction of such a map is given next. 

4 A Quantum One Time Pad 

The algorithm is simple: for each qubit, Alice and Bob share two random secret bits. We assume 
these bits are shared in advance. If the first bit is she does nothing, else she applies a z to the 
qubit. If the second bit is she does nothing, else she applies a x . Now she sends the qubit to 
Bob. She continues this protocol for the rest of the bits. 

We now show that this quantum one time pad protocol is secure. First note that this bit- 
wise protocol can be expressed in terms of our general quantum encryption setup by choosing 

n n 

p k = l/2 2n and U k = X a Z? (a, /3 6 {0, 1}™), where X a = (g) cr£ (i) and Z p = (g) of Thus X a 

i=i -i=i 

corresponds to applying a x to the bits in positions given by the n-bit string a, and similarly for 
Z 13 . Next, define the inner product of two matrices, M\ and M2, as Tr^MxM^)- If the set of all 
2 n x 2 n matrices is seen as an inner product space (with respect to the preceding inner product), 
then one can easily verify that the set of 2 2n unitary matrices {X a Z@} forms an orthonormal 
basis. Expanding any message state, p, in this X a Z^ basis gives: 

p = J2^X a Z^ , (3) 
where a a ^ = Tr(pZ^X a )/2 n . Using this formalism, it is clear that the given choice of pk and Uk 
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satisfies eqn. (0), and hence the underlying protocol is secure: 



2 2r - 

k 7,5 

= ^J2 a ^J2 xlzSxaz " z5xl 

ot,/3 7,<5 

1 

ot,f3 7,(5 

<x,P 

= a 00 / = ^/=-I (4) 
u,u 2 n 2 n 

5 An Equivalent Problem 

Since there are a continuum of valid density matrices, the quantum security criterion (||) can be 
unwieldy to deal with. Here we introduce a modified condition that is necessary and sufficient for 
security. 

Lemma 5.1 An encryption set {pk, Uk} satisfies eqn. (||) if and only if it satisfies: 

M 

Y / P(k)UkX a Z^ul = 6 a , Sf3 >0 I . (5) 

k=l 

Proof: To show that the above condition is sufficient, express p in the X a Z 13 basis, as was 
done in eqn. (Q) and apply the eqn. 

M M I \ 

J2p(k)U k pUl = J2p( k ) U k\zZ a ^ xazP )Ut 

k=l k=l \a,/3 J 

M 

= zZ a ^J2p( k ) u k xaz/3u l 

a,P k=l 

T Tr{p) 1 
u ' u 2 n 2 n 

To show that the modified condition eqn. (0), is necessary is somewhat more involved. First 
let us introduce some new notations: 

I + a, I 
Pi = — 5 — a Pmix = 2 ' 
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The proof may be obtained by induction. Suppose all X a with \a\ < k are mapped to zero by 
the encryption process. Now consider the following product state of n — k — 1 mixed states, with 
exactly k + 1 pure states p x : 

P = Pmix ® Pmix ® ■■■ <8> Pmix ® Px ® Px ® ■ ■ ■ ® Px 

By expanding the above becomes: 

P = L + ly'xo + lx^ 1 - 1 

Q = l 

In the above we use decimal numbers where before we defined X a with a in binary; hence 
X 3 = X 00 --- 011 . When the above p is encrypted we know that is mapped to itself. By 
assumption X a with \a\ < k is mapped to zero, hence the sum in the expansion of p disappears. 
Since p must be mapped to ^r, then the last term in the above, which is X a with \a\ = k + 1, 
must be mapped to zero. By permuting the initial input states, all X a with \a\ = k + 1 must be 
mapped to zero. The case where k = 1 is our base case. By induction all X a are mapped to zero. 

If x is replaced by z in the above, then all Z 13 are mapped to zero also. If x is replaced by y 
and using the fact that all X a and Z 13 are mapped to zero, one sees that all X a Z 13 are mapped 
to zero, which proves the lemma. 

I 

Thus, by using a basis for the set of 2 n x 2 n matrices, the condition for security becomes 
discrete, and only 2 2n equations need to be satisfied by the set {pk,Uk}. The above lemma will 
be useful for showing necessary conditions on encryption sets. 

6 Characterization and Optimality of Quantum One-Time Pads 

So far, we have provided one quantum encryption protocol based on bit-wise Pauli rotations, 
which uses 2n random classical bits in order to encrypt n quantum bits. In this section we 
explore the following questions: (1) What are some of the other choices of {pk, Uk} that can be 
used to perform quantum encryption? In general, can one precisely characterize all possible valid 
choices of {pk, Uk} 9 - and (2) Is the simple quantum one time pad protocol optimal? That is, can 
one encrypt n-bit quantum states using less than 2n random secret classical bits? First, we prove 
a sufficient condition for choosing a secure encryption protocol, and then provide a corresponding 
necessary condition as well. In particular, we show that one cannot perform secure encryption of 
n-bit quantum states using less than 2n random classical bits. 

Lemma 6.1 Any unitary orthonormal basis for the 2 n x 2 n matrices uniformly applied encrypts 
n quantum bits. 

Proof: We can always write the matrices, Uk, in terms of the X a Z 13 basis as 

U k = Y,C k a , p X-zP . (6) 
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Since these U^s form an orthonormal basis, the 2 2n x 2 2n transformation matrix C, comprising 
of the transformation coefficients, is a unitary matrix. Hence, the rows and columns of C are 
orthonormal: 

M 

E C "A C ",sT = <Wr%* and E C^(C 1 ^)* = 5 k>l . (7) 

k=l a,/3 

By substitution of Uj- in (Q) the lemma is obtained: 

fc k \a,f3 ) \7,5 , 

fc a,/3 7,5 



iEE(E^/) x^V^ 

tt,3 7,(5 V k / 
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a,/3 7,(5 



2 2 
2 n 
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Lemma 6.2 Given any quantum encryption set, {pk,Uk}, k = 1,---,M, (i.e.,E?*fc = 1> ^fc is 

k 

unitary, and eqns. (0) and (0) are satisfied), let [7 fc = vW* = ^C^X a Z p , and let C be 

a,/3 

the M x 2 2n transformation matrix, comprising of the transformation coefficients (7* ^ . Then 
M > 2 2n , and 



Proof: {pk,Uk} satisfies eqns. @ and @. Hence, for every £, m G {0, l} r 



M 

fe=l 

M 

t 



E t4^ m tv 
fc=i 

E E E C^ p {C^yx a Z^X l Z m Z s xri 

fc=l a )( S 7,(5 
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/ M \ 
a,/3 7,(5 \fc=l / 

= E (£(-if^+^ (E cU^ +P+Wg+ J*l) 

P,1 \a,/3 \k=l ) J 

Using the linear independence of the X p Z q , only the identity component is non-zero. Hence 
security implies: 



/ m \ 

El i\l3-£+a-q I P^k i Pik \* 1 

a,B \k=l ) 



= E {- l f 4+a ' q ^,o i +p+^5,l3+q+ m [ E CaA^^sT ) (8) 
a,/3,7,<5 \fc=l / 

As it will be evident, the second step in the above equation will be used to introduce a linear 
algebra formulation of the problem. Now, let 

M 

*(a,/3),(7,<5) = E CaA^^s)* > 
fc=l 



which is the standard inner product of the (a, j3) th and the (7, 5) th columns of C or (c^C^j 
and let 



(a,/3),(7,<5) 



P+q+m 



Eqn. (||) can now be written as a set of 2 4n linear equations: M\l/ = [10 • • • ] T , where is 
the 2 4n x 1 vector consisting of all the possible inner products of pairs of columns of C, and M 
is a 2 4n x 2 4n matrix with elements from the set 1,0,-1. Next we observe that a matrix A is 
orthogonal if and only if J2j ^ij^i'j = A%&i,i'-> where Aj is the norm of the i th row (which must 
be greater than zero). One can easily verify that M is an orthogonal matrix: 

E M(£, m ,p,g),(a:,/?,7,(5)M(£/ >m i y , q >),(a,(3,~/,&) 

= E i~^) l3 ' e ' +a ' q ^l,ct+p+l^8fi+q+m{ — ^' e ' +a ' q 8 lta +p'+l'5s,l3+q'+m' 
a,/5,7,5 

= E ( _ ^ '^ +e '^ +9 ^J,a+p+l^S,P+q+mSj, a +p'+l'^S,P+q'+m' 
a,/3,7,5 

El i\P-(e+i')+a-(q+q') X r 
(-1J V ' ^ 'dp+l, P >+l'C>q+m,q'+m' 

= 2 2n $l,l'()q,q>fip+l, P '+l'$q+m,q>+m> 
= 2 2r l 5l,l>5q, q i5p,pi8 m ^ m i . 
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In showing the above we have also found the inverse of M. The orthonormality of M means that 
MM T = 2 2n I, and hence M" 1 = M T /2 2n . Therefore, * = MT[1 2 °„"° ]T , which means * is the 
first row of M renormalized: 

,t. M (0i0;0;0)(ai/ 3 i7 ^ ) 1 
*(a,/9),(7,«) - 2^ - ^ d «,7%« ' 



Since (&C) = *(a^),( 7 ,5) we have 



Since I 2 2 ' i x2 2n i s a f un rank matrix, then C must have at least as many rows as columns. C has 
2 2n columns so M >2 2n . I 

Theorem 6.3 Any given quantum encryption set, {p^, U^}, k = 1, • • • , M, (i.e., Pk = 1, Uk is 

k 

unitary, and eqns. @ and @ are satisfied) has: 

A/ , 

H(pi,---,Pm) = Vfilog— > 2n. 

Hence, one must use at least 2n random classical bits for any quantum encryption. Additionally, 
if M = 2 2n , then pk = and Uk's form an orthonormal basis. Hence, a set {pp., Up.} involving 
only 2n secret classical bits is a quantum encryption set if and only if the unitary matrix elements 
form an orthonormal basis, and they are all equally likely. 



Proof: By Lemma 3.2 we have that 



o9n z 



22n z xz 

Using a singular value decomposition Q of C, we have the following relationships: 

C = WKV\ C ] C = y(A+A)yt, and CC 1 " = W{KK ] )W ] , 

where TV and V are M x M and 2 2n x 2 2n unitary matrices, respectively, and A is an M x 2 2ra 
diagonal rectangular matrix: A(i,j) = Aj^j.Note that A^A and AAt are real diagonal matrices 
and have the same non-zero elements; hence, C^C and C& have the same non-zero eigenvalues. 
Since C'C has 2 2n repeated eigenvalues (= ^r) and M > 2 2n ,CC^ has 2 2n repeated eigenvalues 
(= 2^r) and the rest of its M — 2 2n eigenvalues are 0. Also note that the diagonal entries of C& 
are the probabilities p^s and hence, 

Pk = — U ^ Jk = (C&) h>k = ^ \ W ^\ 2 ^ ^ • 



8 



The above uses the facts that since W is unitary, Ya=i \ Wi t k\ 2 = 1 an d that M > 2 2n . Hence, 



M , M 



H(pi, ■ ■ ■ ,pm) = J2P ilo & — - 2n ^Pi = 2 



n . 



i=l » i=i 



In the particular case where M = 2 2n , we have C& = &C = ^2^"/2 2ri x2 2n • Hence 



TrjUkUj) _ _L_ 
2«. "J 2 2 « ' 



which gives = ^r, and that the set {Uk} necessarily forms an orthonormal basis. The proof 
is completed by observing that by lemma 6.1 any unitary orthonormal basis applied uniformly is 
sufficient. I 



7 Encryption vs. Teleportation and Superdense Coding 

One of the most interesting results in quantum information theory is the teleportation of quantum 
bits by shared EPR pairs and classical channels Q. The quantum one time pad described in 
Section |I] could be implemented using the usual teleportation scheme by encrypting the classical 
communications with a one time pad. Hence, teleportation gives one example of a quantum 
encryption algorithm. In the original teleportation paper [|J a proof that two classical bits are 
required to teleport is given. The proof is based on a construction that gives super luminal 
communication if teleportation can be done with less than two bits. This proof however does not 
imply that all quantum encryption sets require 2n bits. To do so would require one to prove that 
all quantum encryption sets correspond to a teleportation protocol. On the other hand, as we 



show next, all teleportation protocols correspond to a quantum encryption set; hence, Theorem 6.S 
provides a new proof of optimality of teleportation. 

A general teleportation scheme can be described as follows: Alice and Bob share a pure 
state comprising 2n qubits, pab, such that the traced out n-bit states of Alice and Bob satisfy: 
PA = Pb = Next, Alice receives an unknown n-bit quantum state p, and performs a joint 
measurement (i.e., on p and pa), which produces one of a fixed set of outcomes m^, k = 1, . . . , M, 
each with probability The particular outcome rrik is classically communicated to Bob using 
H(pi, . . . ,pm) bits. Bob performs a corresponding unitary operation Uk on his state to retrieve 
p. Hence, after Alice's measurement (and before Bob learns the outcome), Bob's state can be 

M 

expressed as ps = ^rJ = y]p(k)UkpUk, which is exactly the encrypted state of the message, p, 

fc=i 

defined in Eqn. (g). Hence, every teleportation scheme corresponds to an encryption protocol 
{Pk,Uk}- Since we prove that all quantum encryption sets require 2n classical bits, then all 
teleportation schemes must also require 2n classical bits. Note that our proof only relies on the 
properties of the underlying vector spaces. 
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Superdense coding[lC] also has a connection to quantum encryption. Consider the case where 
Alice asks Bob to encrypt something and then Alice wishes to learn the key that Bob used to 
encrypt. In the case of the classical one time pad || c = m © k, and so given a message and it's 
accompanying ciphertext, one learns the key: k = m © c. Quantumly, each quantum bit has two 
classical key bits to learn. Due to Holevo's theorem [[Tl|] it may seem that this implies that there is 
no way to learn the classical key exactly. This intuition is not correct. Alice can learn Bob's key 
in the following way. Alice prepares n singlets and gives half of each singlet to Bob. Bob encrypts 
them using the simple quantum one time pad and returns them to Alice. Alice can learn the key 
exactly by measuring each former singlet in the bell basis. The outcome would tell Alice exactly 
which transformation Bob applied. This protocol corresponds exactly to the superdense coding 
scheme [flOfl. 

Interestingly, some insight is gained as to where the factor of two between the number of 
classical and quantum bits comes from in both encryption and teleportation. In the case of 
classical bits, p is diagonal. A basis for all diagonal matrices is Z@. Hence, for encryption of 
classical bits there are only 2 n equations. In the quantum case, by lemma |5.1| , there are 2 2n 
equations to satisfy, so it is not too surprising that there are twice as many classical bits needed. 
Equivalently, the log of the size of the space is twice as large quantumly as opposed to classically. 
The proof given here could be particularized to give a new proof of Shannon's original result on 
informationally secure classical encryption ||. 

8 Discussion 

We have presented an algorithm for using 2n secret classical bits to secure n quantum bits. These 
encrypted quantum bits may now be held by an untrusted party with no danger that information 
may be learned from these bits. Any number of applications may be imagined for this algorithm, 
or class of algorithms {pf., Ui-}. For instance, rather than using random classical data of size 2n, 
one could use a secret key ciphers Jl~2[] or stream ciphers] 12 1 to keep a small finite classical key, for 



instance 256 bits, to generate pseudo-random bits to encrypt quantum data. In fact, these notions 
allow for straight-forward generalizations of many classical protocols to quantum data. Quantum 



secret sharing has been developed |13| that may be used to share quantum secrets. Classical secret 



sharing schemes are known that are informationally secure [14]. By encrypting a quantum state 
of n bits with 2n classical bits, and then using classical secret sharing on the 2n bits, one may use 
these informationally secure classical methods in the quantum world. This protocol would allow 
users with only classical resources to perform secret sharing given an untrusted center to store 
the quantum data. One application independently suggested by Crepeau et. al.|[^] is to build 
quantum bit commitment schemes based on computationally secure classical bit commitment 
schemes. 
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